Enterprise Matrix - Linux

The matrix below includes techniques spanning the Linux platform. The full Enterprise ATT&CK matrix, along with the matrices for Windows and macOS, is also available for navigation.

Last Modified: 2019-04-25 20:53:07.719000
Techniques by tactic (one list per matrix column):

Initial Access
- Drive-by Compromise
- Exploit Public-Facing Application
- Hardware Additions
- Spearphishing Attachment
- Spearphishing Link
- Spearphishing via Service
- Supply Chain Compromise
- Trusted Relationship
- Valid Accounts

Execution
- Command-Line Interface
- Exploitation for Client Execution
- Graphical User Interface
- Local Job Scheduling
- Scripting
- Source
- Space after Filename
- Third-party Software
- Trap
- User Execution

Persistence
- .bash_profile and .bashrc
- Bootkit
- Browser Extensions
- Create Account
- Hidden Files and Directories
- Kernel Modules and Extensions
- Local Job Scheduling
- Port Knocking
- Redundant Access
- Setuid and Setgid
- Systemd Service
- Trap
- Valid Accounts
- Web Shell

Privilege Escalation
- Exploitation for Privilege Escalation
- Process Injection
- Setuid and Setgid
- Sudo Caching
- Sudo
- Valid Accounts
- Web Shell

Defense Evasion
- Binary Padding
- Clear Command History
- Compile After Delivery
- Disabling Security Tools
- Execution Guardrails
- Exploitation for Defense Evasion
- File Deletion
- File Permissions Modification
- HISTCONTROL
- Hidden Files and Directories
- Indicator Removal from Tools
- Indicator Removal on Host
- Install Root Certificate
- Masquerading
- Obfuscated Files or Information
- Port Knocking
- Process Injection
- Redundant Access
- Rootkit
- Scripting
- Space after Filename
- Timestomp
- Valid Accounts
- Web Service

Credential Access
- Bash History
- Brute Force
- Credential Dumping
- Credentials in Files
- Exploitation for Credential Access
- Input Capture
- Network Sniffing
- Private Keys
- Two-Factor Authentication Interception

Discovery
- Account Discovery
- Browser Bookmark Discovery
- File and Directory Discovery
- Network Service Scanning
- Network Sniffing
- Password Policy Discovery
- Permission Groups Discovery
- Process Discovery
- Remote System Discovery
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- System Owner/User Discovery

Lateral Movement
- Application Deployment Software
- Exploitation of Remote Services
- Remote File Copy
- Remote Services
- SSH Hijacking
- Third-party Software

Collection
- Audio Capture
- Automated Collection
- Clipboard Data
- Data Staged
- Data from Information Repositories
- Data from Local System
- Data from Network Shared Drive
- Data from Removable Media
- Input Capture
- Screen Capture

Command and Control
- Commonly Used Port
- Communication Through Removable Media
- Connection Proxy
- Custom Command and Control Protocol
- Custom Cryptographic Protocol
- Data Encoding
- Data Obfuscation
- Domain Fronting
- Domain Generation Algorithms
- Fallback Channels
- Multi-Stage Channels
- Multi-hop Proxy
- Multiband Communication
- Multilayer Encryption
- Port Knocking
- Remote Access Tools
- Remote File Copy
- Standard Application Layer Protocol
- Standard Cryptographic Protocol
- Standard Non-Application Layer Protocol
- Uncommonly Used Port
- Web Service

Exfiltration
- Automated Exfiltration
- Data Compressed
- Data Encrypted
- Data Transfer Size Limits
- Exfiltration Over Alternative Protocol
- Exfiltration Over Command and Control Channel
- Exfiltration Over Other Network Medium
- Exfiltration Over Physical Medium
- Scheduled Transfer

Impact
- Data Destruction
- Data Encrypted for Impact
- Defacement
- Disk Content Wipe
- Disk Structure Wipe
- Endpoint Denial of Service
- Firmware Corruption
- Inhibit System Recovery
- Network Denial of Service
- Resource Hijacking
- Runtime Data Manipulation
- Stored Data Manipulation
- Transmitted Data Manipulation